kosli-dev / cli
A CLI client for reporting compliance events to https://kosli.com
Home Page: https://docs.kosli.com
License: MIT License
The PR is https://github.com/kosli-dev/cli/tree/print-tags-in-sorted-order
It fails because, it says, the % coverage has gone down.
I cannot see why.
I vaguely recall Sami having a way to fix this but he is off and there is no help in the cli readme.
Describe organizations, environments, pipelines
plus any additional pages that we may need to make Kosli easier to understand for newcomers
In the new kosli attest artifact
the documentation says
--git-commit yourCommitShaThatThisArtifactWasBuiltFrom \
but the flag is not part of the command
Error: unknown flag: --git-commit
The flag was renamed to --commit, but the example is outdated.
When I use the kosli env get command, the pipeline is printed as N/A for an artifact that we actually have provenance of (for the 'compliancedb' org):
$ kosli env get prod-aws
COMMIT ARTIFACT PIPELINE RUNNING_SINCE REPLICAS
N/A Name: 358426185766.dkr.ecr.eu-central-1.amazonaws.com/adot:v0.21.0 N/A 12 days ago 1
Fingerprint: 8cbf709ad4c4eb3d5edcd33a806b9d2903d48945a897047c6ab184d2445dd6c3
3051844 Name: 358426185766.dkr.ecr.eu-central-1.amazonaws.com/merkely:3051844 N/A 12 days ago 1
Fingerprint: 5485d80e21b760b0257c5cd837bc2ac6bebcf0cb625d3e9e95812358e2bffb79
$ kosli artifact get merkely@5485d80e21b760b0257c5cd837bc2ac6bebcf0cb625d3e9e95812358e2bffb79
Name: 772819027869.dkr.ecr.eu-central-1.amazonaws.com/merkely:3051844
Pipeline: merkely
Fingerprint: 5485d80e21b760b0257c5cd837bc2ac6bebcf0cb625d3e9e95812358e2bffb79
Created on: Thu, 03 Nov 2022 10:35:22 CET • 12 days ago
Git commit: 305184489c866e5d71def6aa6fe517e8bcbcc9ff
Commit URL: https://github.com/kosli-dev/server/commit/305184489c866e5d71def6aa6fe517e8bcbcc9ff
Build URL: https://github.com/kosli-dev/server/actions/runs/3384506568
State: COMPLIANT
Running in environments: dnb-aws#250, modulr#142, prod-aws#297, stacc#257
Exited from environments: azure-staging-aws#1822, staging-aws#2274
History:
Artifact created Thu, 03 Nov 2022 10:35:22 CET
unit-test evidence received Thu, 03 Nov 2022 10:36:48 CET
unit-test-coverage evidence received Thu, 03 Nov 2022 10:36:49 CET
integration-test evidence received Thu, 03 Nov 2022 10:37:21 CET
integration-test-coverage evidence received Thu, 03 Nov 2022 10:37:22 CET
Deployment #5433 to staging-aws environment Thu, 03 Nov 2022 10:38:34 CET
Deployment #5434 to azure-staging-aws environment Thu, 03 Nov 2022 10:38:43 CET
Started running in staging-aws#2273 environment Thu, 03 Nov 2022 10:40:22 CET
Started running in azure-staging-aws#1820 environment Thu, 03 Nov 2022 10:40:24 CET
Deployment #5435 to modulr environment Thu, 03 Nov 2022 10:43:41 CET
Deployment #5436 to dnb-aws environment Thu, 03 Nov 2022 10:43:44 CET
Deployment #5437 to stacc environment Thu, 03 Nov 2022 10:43:45 CET
Approval #280 created Thu, 03 Nov 2022 10:43:46 CET
Approval #280 approved by external://External Thu, 03 Nov 2022 10:43:46 CET
Deployment #5438 to prod-aws environment Thu, 03 Nov 2022 10:43:47 CET
Started running in prod-aws#297 environment Thu, 03 Nov 2022 10:44:56 CET
Started running in dnb-aws#250 environment Thu, 03 Nov 2022 10:45:38 CET
Started running in stacc#257 environment Thu, 03 Nov 2022 10:45:45 CET
Started running in modulr#142 environment Thu, 03 Nov 2022 10:45:45 CET
No longer running in staging-aws#2274 environment Thu, 03 Nov 2022 12:00:22 CET
No longer running in azure-staging-aws#1822 environment Thu, 03 Nov 2022 12:00:24 CET
In the Frende meeting on 22/10/21, Hakon was unable to use the reporter to calculate the digest/fingerprint for a directory because other processes had a file lock on one or more files in the directory.
I incorrectly report an error if an ARTIFACT-NAME is provided without an --artifact-type flag. This needs to not happen if the --fingerprint is provided.
The text for the kosli fingerprint command has a few small bugs...
The --artifact-type flag reads:
-t, --artifact-type string | [conditional] The type of the artifact to calculate its SHA256 fingerprint. One of: [docker, file, dir]. Only required if you don't specify '--fingerprint'.
This is the correct text for a general attest command, but for the kosli fingerprint command the --artifact-type flag is required.
When fingerprinting a 'dir' artifact, you can exclude certain paths from fingerprint calculation using the
--exclude flag. Excluded paths are relative to the artifact path(s) and can be literal paths or glob patterns.
I think this would be slightly better as:
When fingerprinting a 'dir' artifact, you can exclude certain paths from the fingerprint calculation using the
--exclude flag. Excluded paths are relative to the DIR-PATH and can be literal paths or glob patterns.
There is currently no kosli list trails command.
Logically, I think there should be.
In https://docs.kosli.com/client_reference/kosli_pipeline_approval_request/#synopsis the entry for --repo-root is missing its leading [default].
I have briefly looked at this:
Any attest command (that is not attest-artifact) basically has three forms:
Number 1 relies on there being a previous attest-artifact for the supplied fingerprint.
Number 2 also relies on there being a previous attest-artifact for the calculated fingerprint.
Number 3 relies on a git-commit to "commit-join" to a previous attest-artifact for that commit.
The kosli-attest artifact command currently requires a git repo to be present.
Eg when you try a command like this, with --repo-root defaulting to . where there is no git repo:
kosli attest artifact ${FILENAME} --fingerprint=${FINGERPRINT} --name=alpha --build-url=https://a.b.c --commit-url=https://a.b.c
or like this
kosli attest artifact ${FILENAME} --artifact-type=file --name=alpha --build-url=https://a.b.c --commit-url=https://a.b.c
You get the following error:
Error: failed to open git repository at .: repository does not exist
So, at present, it appears that all the kosli-attest commands require, directly or indirectly, a git repo to be present.
Describe the issue
We have to support multiple different CI environments for CLI reporting. We are currently hand crafting this each time.
The Cucumber team have an open source library that does a similar thing: https://github.com/cucumber/ci-environment
This has support for multiple languages including Go.
We might want to fork or extend it for our use case.
When entering an env report <env-type> command in the CLI (ie: ./merkely environment report server), the help does not show like for other commands; instead the following error is returned: Error: environment name is required
Our daily snyk scan of the server is failing with this...
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x8 pc=0xa9ed38]
See https://github.com/kosli-dev/server/actions/runs/8567365373/job/23479015177#step:7:44
Looks like it is the same kind of error we've seen before, involving the CLI and json decoding.
Currently the approver for an approval is hard coded as External. I need to be able to specify the approver as a parameter, e.g.
kosli report approval $(cat output/tagged_image) \
--fingerprint=$(cat output/fingerprint) \
--description="Approved in Gitlab pipeline" \
--oldest-commit=origin/production \
--approver="${GITLAB_USER_NAME} <${GITLAB_USER_EMAIL}>"
This affects: https://staging-docs--kosli-docs.netlify.app/
The issue seems to be that the /search page does not exist on the staging site, so the action of the search form defaults to the current page.
We're still using an old (1.5.9) version of the CLI in the Helm chart; time to update.
Can we make it always the latest? Does it even make sense?
make build creates the binary in the current directory. Probably should put it into a build subdirectory.
👋 it looks like the 2.8.8 release was not completed, ie the latest release did not get created. Raising this issue for some awareness. Thanks!
relates to Homebrew/homebrew-core#167117
additional stuff discovered on the way
The cyber-dojo live-snyk-scans run a script which attests the result of each snyk scan twice, once for the Trail representing the live-snyk-scan, and once more for the original Trail that built the Artifact
snyk container test ...
kosli attest snyk ...
kosli attest snyk ...
Several times I have got an error in one of the kosli attest snyk commands and it is very difficult to tell which attest-snyk command is failing (this is in a script, remember). It is sufficiently tricky that I now do a set +e/set -e around the attest-snyk command and do my own error reporting.
See https://github.com/cyber-dojo/live-snyk-scans/blob/7b967a8dd6140a5b987a22d9673cad8b37fd656b/snyk_scan_live_artifacts_and_attest_to_kosli.sh#L120
It would be good, when a CLI command fails, if it could print the command, the Flow, and the Trail, as well as the diagnostic.
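The set +e/set -e wrapping described above, written out as an added example (this is not code from the kosli CLI or from the live-snyk-scans script). The run_attest function is hypothetical: it temporarily disables errexit, runs whatever command it is given, captures that command's stderr, and on failure prints the command line, the Flow and the Trail alongside the command's own diagnostic, then returns the command's exit status so the caller can still decide to abort. The kosli invocations in the comments are illustrative only; the test input is a constructed failing command.

```bash
#!/usr/bin/env bash
# Added example (not part of the kosli CLI or the live-snyk-scans script):
# a wrapper that reports which attest command failed, and against which
# Flow and Trail, instead of leaving only the CLI's bare diagnostic.

# run_attest FLOW TRAIL COMMAND [ARGS...]
# Runs COMMAND with errexit temporarily disabled so a failure does not kill
# the script before we can report context. Returns COMMAND's exit status.
run_attest() {
  local flow="$1" trail="$2"
  shift 2
  local errfile status had_errexit=0
  errfile="$(mktemp)"

  # Remember whether set -e was active so we restore it exactly as found.
  case $- in *e*) had_errexit=1 ;; esac
  set +e
  "$@" 2>"$errfile"
  status=$?
  if [ "$had_errexit" -eq 1 ]; then set -e; fi

  if [ "$status" -ne 0 ]; then
    {
      echo "FAILED (exit $status): $*"
      echo "  Flow:  $flow"
      echo "  Trail: $trail"
      echo "  Diagnostic:"
      sed 's/^/    /' "$errfile"   # indent the command's own stderr
    } >&2
  fi
  rm -f "$errfile"
  return "$status"
}

# Illustrative usage in a script that attests each scan twice (once per Trail),
# as the passage above describes. FLOW, LIVE_TRAIL and BUILD_TRAIL are assumed
# to be set by the surrounding script; the kosli flags used are --flow, --trail
# and --name, which appear elsewhere on this page.
#
#   set -e
#   run_attest "$FLOW" "$LIVE_TRAIL" \
#     kosli attest snyk --flow="$FLOW" --trail="$LIVE_TRAIL" --name=snyk-scan ... \
#     || exit 1
#   run_attest "$FLOW" "$BUILD_TRAIL" \
#     kosli attest snyk --flow="$FLOW" --trail="$BUILD_TRAIL" --name=snyk-scan ... \
#     || exit 1
```

Because the wrapper returns the command's own exit status, a script that wants to stop at the first failure keeps its `|| exit 1`; a script that wants to attest every Trail before failing can instead collect the statuses and exit non-zero at the end, with each failure already annotated with its Flow and Trail.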
reporting ecs requires environment variables, reporting lambda requires environment variables OR flags - can we unify?
help for ecs:
[...]
Examples:
# report what is running in an entire AWS ECS cluster:
export AWS_REGION=yourAWSRegion
export AWS_ACCESS_KEY_ID=yourAWSAccessKeyID
export AWS_SECRET_ACCESS_KEY=yourAWSSecretAccessKey
kosli environment report ecs yourEnvironmentName \
--api-token yourAPIToken \
--owner yourOrgName
Flags:
-C, --cluster string The name of the ECS cluster.
-h, --help help for ecs
-s, --service-name string The name of the ECS service.
Global Flags:
-a, --api-token string The Kosli API token.
-c, --config-file string [optional] The Kosli config file path. (default "kosli")
-D, --dry-run [optional] Whether to run in dry-run mode. When enabled, data is not sent to Kosli and the CLI exits with 0 exit code regardless of errors.
-H, --host string [defaulted] The Kosli endpoint. (default "https://app.kosli.com")
-r, --max-api-retries int [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3)
--owner string The Kosli user or organization.
-v, --verbose [optional] Print verbose logs to stdout.
help for lambda:
[...]
Examples:
# report what is running in the latest version AWS Lambda function (AWS auth provided in env variables):
export AWS_REGION=yourAWSRegion
export AWS_ACCESS_KEY_ID=yourAWSAccessKeyID
export AWS_SECRET_ACCESS_KEY=yourAWSSecretAccessKey
kosli environment report lambda myEnvironment \
--function-name yourFunctionName \
--api-token yourAPIToken \
--owner yourOrgName
# report what is running in a specific version of an AWS Lambda function (AWS auth provided in flags):
kosli environment report lambda myEnvironment \
--function-name yourFunctionName \
--function-version yourFunctionVersion \
--aws-key-id yourAWSAccessKeyID \
--aws-secret-key yourAWSSecretAccessKey \
--aws-region yourAWSRegion \
--api-token yourAPIToken \
--owner yourOrgName
Flags:
--aws-key-id string The AWS access key ID.
--aws-region string The AWS region.
--aws-secret-key string The AWS secret key.
--function-name string The name of the AWS Lambda function.
--function-version string [optional] The version of the AWS Lambda function.
-h, --help help for lambda
Global Flags:
-a, --api-token string The Kosli API token.
-c, --config-file string [optional] The Kosli config file path. (default "kosli")
-D, --dry-run [optional] Whether to run in dry-run mode. When enabled, data is not sent to Kosli and the CLI exits with 0 exit code regardless of errors.
-H, --host string [defaulted] The Kosli endpoint. (default "https://app.kosli.com")
-r, --max-api-retries int [defaulted] How many times should API calls be retried when the API host is not reachable. (default 3)
--owner string The Kosli user or organization.
-v, --verbose [optional] Print verbose logs to stdout.
In the CLI docs page for kosli attest junit there is the following example (see https://docs.kosli.com/client_reference/kosli_attest_junit/#examples-use-cases):
# report a junit attestation about an artifact which has not been reported yet in a trail
kosli attest junit \
--name yourTemplateArtifactName.yourAttestationName \
--flow yourFlowName \
--trail yourTrailName \
--results-dir yourFolderWithJUnitResults \
--api-token yourAPIToken \
--org yourOrgName
I have created a server branch dotted-name-docs-examples with a script that runs a command similar to the one above
If you check out the branch you can try the script as follows:
make demo
./demo/uses_cases/attest_dotted_junit.sh
The error you get for the kosli attest junit command is:
Error: an attestation targeting artifacts ['outer'] requires at least one of: specifying the fingerprint (either by calculating it using the
artifact name/path and --artifact-type, or by providing it using --fingerprint) or providing --commit (requires an available git repo to
access commit details)
So as a minimum I think we need to add a --commit flag to the example.
There are also similar CLI docs example pages with no --commit
for:
I have created a PR on the CLI to tweak the documentation examples: #296 (this PR also fixes some new go lint errors).
👋 it looks like the 2.8.9 release was not completed, ie the github release did not get created, as with 2.8.8. Raising this issue for some awareness. Thanks!
relates to Homebrew/homebrew-core#169537
If I try the following command (from a working-directory that has a git repo):
kosli attest generic \
--commit=$(git rev-parse HEAD) \
--flow=${FLOW} \
--trail=${TRAIL} \
--name=wibble.fubar
then the command succeeds (it's the equivalent of the old report ... commit).
In this case, the attestation is, logically, against the Artifact:
--fingerprint
[IMAGE_NAME] --artifact-type
--name=wibble.fubar
So the wording:
If the attestation is attached to an artifact, the artifact SHA256 fingerprint is calculated (based on the --artifact-type flag) or can be provided directly (with the --fingerprint flag).
is not correct.
As I see it, there are 4 "target" choices when attesting:
--name
--name
--fingerprint (IMAGE_NAME not required)
--artifact-type (IMAGE_NAME required)
In the help for the flags:
the --artifact-type flag is marked as [conditional], whereas the --fingerprint flag is marked as [optional].
Is it clearer to say that both are now [conditional] (or [optional]) given that you can attest against a trail?
Most commands have an example of attesting against a trail (at the bottom of the page), and those commands have neither an --artifact-type nor a --fingerprint flag.
Some pages, eg kosli attest jira, say
The artifact SHA256 fingerprint is calculated (based on the --artifact-type flag) or can be provided directly (with the --fingerprint flag).
Other pages, eg kosli attest pullrequest github, say
If the attestation is attached to an artifact, The artifact SHA256 fingerprint is calculated (based on the --artifact-type flag) or can be provided directly (with the --fingerprint flag).
If I try the following command (from a working-directory that has a git repo) which has no --fingerprint and no [IMAGE_NAME] --artifact-type:
kosli attest generic \
--flow=${FLOW} \
--trail=${TRAIL} \
--name=wibble.fubar
then the error I get is:
Error: an attestation targeting artifacts ['wibble'] requires at least one of: artifact_fingerprint or git_commit_info.
At the bottom of https://docs.kosli.com/client_reference/kosli_environment_report_server/ there is this...
--paths a/b/c, e/f/g \
Is this right?
Or does it need to be
--paths a/b/c,e/f/g \
This also occurs at the bottom of https://docs.kosli.com/how_to/record/
Print detailed information on every file/dir name and content that contribute to the fingerprint calculation.
Make sure this information and its format are identical to merkely/change (which must also support this option).